Multiple vulnerabilities in Apache Foundation Struts 2 framework. Csaba Barta and László Tóth

Transcription

1 Multiple vulnerabilities in Apache Foundation Struts 2 framework Csaba Barta and László Tóth 12. June 2008

2 Content Content... 2 Summary... 3 Directory traversal vulnerability in static content serving... 3 Double URL decoding vulnerability in findinputstream method... 4 Circumventing the.class filter in findstaticresource method... 6 Impact of the vulnerabilities... 7

3 Summary We identified three critical vulnerabilities in the Strus 2 framework. According to struts.apache.org: Struts 2 is an extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time. ( Directory traversal vulnerability in static content serving Remote: Yes Risk: High Vulnerable systems: Struts and above were tested including beta version Immune Systems: No other version of Struts was tested If the requested URI starts with the /struts string, the dofilter method of the FilterDispatcher class calls the findstaticresource method, which serves the static content, as shown below: if (servestatic && resourcepath.startswith("/struts")) { String name = resourcepath.substring("/struts".length()); findstaticresource(name, request, response); else { // this is a normal request, let it pass through chain.dofilter(request, response); The first parameter ( name ) of the findstaticresource will contain the URI without the /struts string. If the request is the following (testing the strus2 blank example application which is distributed with struts2): The following response is sent by the web server, which is the lib folder of the Apache Tomcat: 3

4 Figure 1.: The content of the lib directory of Tomcat We tested some application where the served directory was the parent of the WEB-INF folder and we could browse and download files from it. Double URL decoding vulnerability in findinputstream method Remote: Yes Risk: High Vulnerable systems: Struts and above were tested including beta version. Immune Systems: No other version of Struts was tested The findinputstream function is responsible for loading the static content from the packages. This function is vulnerable to double URL decoding. The following code snippet shows the vulnerable part in the source code of FilterDispatcher class: protected InputStream findinputstream(string name, String packageprefix) throws IOException { resourcepath = URLDecoder.decode(resourcePath, encoding); return ClassLoaderUtil.getResourceAsStream(resourcePath, getclass()); If the attacker supplies double URL encoded special characters in the URL, the first decoding will be done by web server or application server. The findinputstream will be supplied with the simple URL encoded version of the character then the call to URLDecoder.decode function will result in the special characters decoded. The ClassLoaderUtil.getResourceAsStream function will be supplied with this decoded path. 4

5 Example: 1. The attacker supplies %252f in the URL 2. After the first decoding done by Tomcat the character will be decoded to %2f 3. After the call to URLDecoder.decode the character will be decoded to / This vulnerability can be exploited by an attacker to circumvent an URL filter or how the web server handles../. Example request: The response sent by the server: Figure 2.: Double URL decoding By supplying further..%252f the attacker can navigate trough the search path configured for the application and find files containing sensitive information (e.g.: application configuration, java classes (see the next section)). Figure 3.: Further navigating through the search path 5

6 Circumventing the.class filter in findstaticresource method Remote: Yes Risk: High Vulnerable systems: Struts and above were tested including beta version Immune Systems: No other version of Struts was tested The findstaticresource method implements a filter that is responsible for preventing the download of java class files. Here is the code snippet from findstaticresource: protected void findstaticresource(string name, HttpServletRequest request, HttpServletResponse response) throws IOException { if (!name.endswith(".class")) { for (String pathprefix : pathprefixes) { InputStream is = findinputstream(name, pathprefix); response.senderror(httpservletresponse.sc_not_found); The filter inspects the URL, and if the requested content s name ends with.class it denies serving it. It is possible to circumvent this filter by adding / to the end of the file name. For example (testing the strus2 blank example application which is distributed with struts2): The response sent by the server: Figure 4.: Downloading java class file 6

7 Because of the last / after the.class the upper mentioned condition will be met (the requested content doesn t end with.class it ends with.class/ ), and findinputstream will be called in a loop which will result in the class file served to the client. This security hole can be exploited by taking advantage of the previous vulnerability. Impact of the vulnerabilities A remote attacker may download application configuration files and java classes from the web server running vulnerable version of the framework. 7